I keep getting redirected by google.


  • This topic is locked
14 replies to this topic

#1 hasseth

  • Members
  • 7 posts

Posted 01 August 2012 - 12:16 PM

I've been redirected by Google occasionally for a few weeks now. I have tried to rid myself of this with Norton, Malwarebytes, Tdsskiller, and Combofix. I used combofix before I found this site, and didn't hear not to until asked. I will post the log along with the requested log. I ran Combofix in safe mode.

I run 64 bit Windows Vista. I will reply as soon as possible with any information you may need, and to do anything I am asked to do.

DDS text

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_31
Run by Hasseth at 13:11:16 on 2012-08-01
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.6111.4378 [GMT -4:00]
.
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe
C:\Users\Hasseth\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\notepad.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\Hasseth\Downloads\Defogger.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\ccSvcHst.exe
C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\ccSvcHst.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerPlugin_11_3_300_268.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://blekko.com?source=c3348dd4&tbp=homepage&toolbarid=blekkotb&u=20120330CE234B61AB5B6DB1B4A8E7DC
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\coIEPlg.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\IPS\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\coIEPlg.dll
uRun: [Steam] "C:\Program Files (x86)\Steam\steam.exe" -silent
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
StartupFolder: C:\Users\Hasseth\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\Hasseth\AppData\Roaming\Dropbox\bin\Dropbox.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~3\Office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{B1D2EA74-EA7D-462D-B3D4-B2DA6A3442E6} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{B1D2EA74-EA7D-462D-B3D4-B2DA6A3442E6}\76271636965607F6F6 : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{B1D2EA74-EA7D-462D-B3D4-B2DA6A3442E6}\A4F686E63747F6E6022516E646F6C60786 : DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
TCP: Interfaces\{B1D2EA74-EA7D-462D-B3D4-B2DA6A3442E6}\C696E6B6379737 : DhcpNameServer = 75.75.75.75 75.75.76.76
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Norton Identity Protection: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\coIEPlg.dll
BHO-X64: Norton Identity Protection - No File
BHO-X64: Norton Vulnerability Protection: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\IPS\IPSBHO.DLL
BHO-X64: Norton Vulnerability Protection - No File
BHO-X64: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~3\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\coIEPlg.dll
mRun-x64: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
mRun-x64: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
SEH-X64: Groove GFS Stub Execution Hook: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\PROGRA~2\MICROS~3\Office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Hasseth\AppData\Roaming\Mozilla\Firefox\Profiles\gl0zw8e0.default\
FF - prefs.js: browser.startup.homepage - Google.com
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Common Files\Wolfram Research\Browser\8.0.1.2063897\npmathplugin.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Users\Hasseth\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_11_3_300_268.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;C:\Windows\system32\drivers\NISx64\1301000.01C\SYMDS64.SYS --> C:\Windows\system32\drivers\NISx64\1301000.01C\SYMDS64.SYS [?]
R0 SymEFA;Symantec Extended File Attributes;C:\Windows\system32\drivers\NISx64\1301000.01C\SYMEFA64.SYS --> C:\Windows\system32\drivers\NISx64\1301000.01C\SYMEFA64.SYS [?]
R1 BHDrvx64;BHDrvx64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\BASHDefs\20120711.002\BHDrvx64.sys [2012-7-11 1161376]
R1 ccSet_NIS;Norton Internet Security Settings Manager;C:\Windows\system32\drivers\NISx64\1301000.01C\ccSetx64.sys --> C:\Windows\system32\drivers\NISx64\1301000.01C\ccSetx64.sys [?]
R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;C:\Windows\system32\DRIVERS\dtsoftbus01.sys --> C:\Windows\system32\DRIVERS\dtsoftbus01.sys [?]
R1 IDSVia64;IDSVia64;C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.0.28\Definitions\IPSDefs\20120731.001\IDSviA64.sys [2012-7-31 509088]
R1 SymIRON;Symantec Iron Driver;C:\Windows\system32\drivers\NISx64\1301000.01C\Ironx64.SYS --> C:\Windows\system32\drivers\NISx64\1301000.01C\Ironx64.SYS [?]
R1 SYMNETS;Symantec Network Security WFP Driver;C:\Windows\system32\drivers\NISx64\1301000.01C\SYMNETS.SYS --> C:\Windows\system32\drivers\NISx64\1301000.01C\SYMNETS.SYS [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-6-6 64952]
R2 hpsrv;HP Service;C:\Windows\system32\Hpservice.exe --> C:\Windows\system32\Hpservice.exe [?]
R2 NIS;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\19.1.0.28\ccSvcHst.exe [2012-8-1 138760]
R2 TeamViewer7;TeamViewer 7;C:\Program Files (x86)\TeamViewer\Version7\TeamViewer_Service.exe [2012-3-3 2886528]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;C:\Windows\system32\DRIVERS\NETw5s64.sys --> C:\Windows\system32\DRIVERS\NETw5s64.sys [?]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 SkypeUpdate;Skype Updater;C:\Program Files (x86)\Skype\Updater\Updater.exe [2012-2-29 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-4-3 250056]
S3 BTCFilterService;USB Networking Driver Filter Service;C:\Windows\system32\DRIVERS\motfilt.sys --> C:\Windows\system32\DRIVERS\motfilt.sys [?]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;C:\Program Files (x86)\Dragon Age\bin_ship\daupdatersvc.service.exe [2009-12-15 25832]
S3 ivusb;Initio Driver for USB Default Controller;C:\Windows\system32\DRIVERS\ivusb.sys --> C:\Windows\system32\DRIVERS\ivusb.sys [?]
S3 MHIKEY10;MHIKEY10;C:\Windows\system32\Drivers\MHIKEY10x64.sys --> C:\Windows\system32\Drivers\MHIKEY10x64.sys [?]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE [2010-1-21 30963576]
S3 motandroidusb;Mot ADB Interface Driver;C:\Windows\system32\Drivers\motoandroid.sys --> C:\Windows\system32\Drivers\motoandroid.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;C:\Windows\system32\DRIVERS\motccgp.sys --> C:\Windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;C:\Windows\system32\DRIVERS\motccgpfl.sys --> C:\Windows\system32\DRIVERS\motccgpfl.sys [?]
S3 Motousbnet;Motorola USB Networking Driver Service;C:\Windows\system32\DRIVERS\Motousbnet.sys --> C:\Windows\system32\DRIVERS\Motousbnet.sys [?]
S3 MozillaMaintenance;Mozilla Maintenance Service;C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-4-24 113120]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;C:\Windows\system32\DRIVERS\netw5v64.sys --> C:\Windows\system32\DRIVERS\netw5v64.sys [?]
S3 osppsvc;Office Software Protection Platform;C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-1-9 4925184]
S3 SophosVirusRemovalTool;Sophos Virus Removal Tool;C:\Program Files (x86)\Sophos\Sophos Virus Removal Tool\SVRTservice.exe [2012-6-19 151104]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-08-01 17:02:31 174200 ----a-w- C:\Windows\System32\drivers\SYMEVENT64x86.SYS
2012-08-01 17:02:31 -------- d-----w- C:\Program Files\Symantec
2012-08-01 17:02:31 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
2012-08-01 17:01:48 729720 ----a-r- C:\Windows\System32\drivers\NISx64\1301000.01C\srtsp64.sys
2012-08-01 17:01:48 451192 ----a-r- C:\Windows\System32\drivers\NISx64\1301000.01C\SymDS64.sys
2012-08-01 17:01:48 401016 ----a-r- C:\Windows\System32\drivers\NISx64\1301000.01C\symnets.sys
2012-08-01 17:01:48 37496 ----a-r- C:\Windows\System32\drivers\NISx64\1301000.01C\srtspx64.sys
2012-08-01 17:01:48 189560 ----a-r- C:\Windows\System32\drivers\NISx64\1301000.01C\Ironx64.sys
2012-08-01 17:01:48 167048 ----a-r- C:\Windows\System32\drivers\NISx64\1301000.01C\ccSetx64.sys
2012-08-01 17:01:48 1084536 ----a-r- C:\Windows\System32\drivers\NISx64\1301000.01C\SymEFA64.sys
2012-08-01 17:01:35 -------- d-----w- C:\Windows\System32\drivers\NISx64\1301000.01C
2012-08-01 17:01:35 -------- d-----w- C:\Windows\System32\drivers\NISx64
2012-08-01 17:01:33 -------- d-----w- C:\Program Files (x86)\Norton Internet Security
2012-08-01 16:56:25 -------- d-----w- C:\Program Files (x86)\NortonInstaller
2012-08-01 15:01:54 98816 ----a-w- C:\Windows\sed.exe
2012-08-01 15:01:54 518144 ----a-w- C:\Windows\SWREG.exe
2012-08-01 15:01:54 256000 ----a-w- C:\Windows\PEV.exe
2012-08-01 15:01:54 208896 ----a-w- C:\Windows\MBR.exe
2012-07-31 20:28:30 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-19 01:51:04 -------- d-----w- C:\Program Files (x86)\Common Files\Symantec Shared
2012-07-19 01:46:49 -------- d-----w- C:\ProgramData\Norton
2012-07-19 01:39:44 -------- d-----w- C:\ProgramData\NortonInstaller
2012-07-18 04:25:00 -------- d-----w- C:\Windows\pss
2012-07-17 21:38:46 -------- d-----w- C:\Program Files (x86)\CDisplayEx
2012-07-13 22:41:14 -------- d-----w- C:\ProgramData\Sophos
2012-07-13 22:00:32 73728 ----a-r- C:\Users\Hasseth\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe1_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2012-07-13 22:00:32 73728 ----a-r- C:\Users\Hasseth\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\SVRTgui.exe_810EDD9E2F0A4E2BACF86673C38D9F48.exe
2012-07-13 22:00:32 73728 ----a-r- C:\Users\Hasseth\AppData\Roaming\Microsoft\Installer\{B829E117-D072-41EA-9606-9826A38D34C1}\ARPPRODUCTICON.exe
2012-07-13 22:00:29 -------- d-----w- C:\Program Files (x86)\Sophos
2012-07-12 13:47:00 3147264 ----a-w- C:\Windows\System32\win32k.sys
2012-07-11 20:10:54 1425408 ----a-w- C:\Program Files\Common Files\System\ado\msado15.dll
2012-07-11 20:10:53 987136 ----a-w- C:\Program Files (x86)\Common Files\System\ado\msado15.dll
2012-07-11 00:19:47 -------- d-----w- C:\Users\Hasseth\AppData\Roaming\CDisplayEx
2012-07-10 22:02:20 -------- d-----w- C:\Program Files (x86)\AVG
2012-07-10 21:59:16 -------- d--h--w- C:\ProgramData\Common Files
2012-07-10 21:59:16 -------- d-----w- C:\ProgramData\MFAData
2012-07-10 12:51:17 9013136 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{3DA70F9D-C256-46A3-BAC4-B4D815E32E3D}\mpengine.dll
2012-07-10 02:07:26 -------- d-----w- C:\Users\Hasseth\AppData\Local\{FC5AAB1B-CA33-11E1-8270-B8AC6F996F26}
2012-07-07 12:58:46 74000 ----a-w- C:\Windows\SysWow64\msrclr40.dll
2012-07-07 12:58:46 74000 ----a-w- C:\Program Files\Common Files\Microsoft Shared\Replication Manager 4.0\msrpfs40.dll
2012-07-07 12:58:46 557328 ----a-w- C:\Program Files\Common Files\Microsoft Shared\dao\dao360.dll
2012-07-07 12:58:46 45328 ----a-w- C:\Program Files\Common Files\Microsoft Shared\Replication Manager 4.0\mstran40.exe
2012-07-07 12:58:46 37136 ----a-w- C:\Program Files\Common Files\Microsoft Shared\Replication Manager 4.0\mstrai40.exe
2012-07-07 12:58:46 28944 ----a-w- C:\Windows\SysWow64\msrecr40.dll
2012-07-07 12:58:17 89360 ----a-w- C:\Windows\SysWow64\VB5DB.DLL
2012-07-07 12:58:16 -------- d-----w- C:\TSO
2012-07-06 01:27:17 -------- d-----w- C:\Program Files (x86)\Microsoft Application Compatibility Toolkit
2012-07-05 22:49:05 -------- d-----w- C:\Program Files (x86)\Black Isle
2012-07-05 22:48:59 77824 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
2012-07-05 22:48:59 32768 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
2012-07-05 22:48:59 225280 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll
2012-07-05 22:48:59 176128 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
2012-07-05 22:48:58 614532 ----a-w- C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
2012-07-05 22:37:08 -------- d-----w- C:\Program Files\CCleaner
.
==================== Find3M ====================
.
2012-07-28 23:32:21 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-07-28 23:32:21 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-03 17:46:44 24904 ----a-w- C:\Windows\System32\drivers\mbam.sys
2012-06-06 05:50:50 2003968 ----a-w- C:\Windows\System32\msxml6.dll
2012-06-06 05:50:50 1880064 ----a-w- C:\Windows\System32\msxml3.dll
2012-06-06 05:09:46 1389568 ----a-w- C:\Windows\SysWow64\msxml6.dll
2012-06-06 05:09:46 1236992 ----a-w- C:\Windows\SysWow64\msxml3.dll
2012-06-02 22:15:31 2622464 ----a-w- C:\Windows\System32\wucltux.dll
2012-06-02 22:15:08 99840 ----a-w- C:\Windows\System32\wudriver.dll
2012-06-02 19:19:42 186752 ----a-w- C:\Windows\System32\wuwebv.dll
2012-06-02 19:15:12 36864 ----a-w- C:\Windows\System32\wuapp.exe
2012-06-02 05:38:26 95088 ----a-w- C:\Windows\System32\drivers\ksecdd.sys
2012-06-02 05:38:24 152432 ----a-w- C:\Windows\System32\drivers\ksecpkg.sys
2012-06-02 05:37:45 459216 ----a-w- C:\Windows\System32\drivers\cng.sys
2012-06-02 05:27:02 340992 ----a-w- C:\Windows\System32\schannel.dll
2012-06-02 05:27:00 307200 ----a-w- C:\Windows\System32\ncrypt.dll
2012-06-02 04:48:39 22016 ----a-w- C:\Windows\SysWow64\secur32.dll
2012-06-02 04:48:35 225280 ----a-w- C:\Windows\SysWow64\schannel.dll
2012-06-02 04:47:31 219136 ----a-w- C:\Windows\SysWow64\ncrypt.dll
2012-06-02 04:42:51 96768 ----a-w- C:\Windows\SysWow64\sspicli.dll
2012-05-09 03:36:05 955848 ----a-w- C:\Windows\System32\npDeployJava1.dll
2012-05-09 03:36:05 839112 ----a-w- C:\Windows\System32\deployJava1.dll
2012-05-04 10:52:22 5505392 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-05-04 10:08:16 3958128 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-05-04 10:08:15 3902320 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
.
============= FINISH: 13:11:39.05 ===============


#2 nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 August 2012 - 09:27 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Nothing suspicious was found in your logs.

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
===

Third party programs if not up to date can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

#3 hasseth

  • Topic Starter
  • Members
  • 7 posts

Posted 06 August 2012 - 11:09 AM

ADW cleaner log.

# AdwCleaner v1.800 - Logfile created 08/06/2012 at 12:02:02
# Updated 01/08/2012 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : Hasseth - HASSETH-PC
# Running from : C:\Users\Hasseth\Desktop\adwcleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Found : HKLM\SOFTWARE\DT Soft

***** [Registre - GUID] *****

Key Found : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}
[x64] Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7600.16385

[HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://blekko.com?source=c3348dd4&tbp=homepage&toolbarid=blekkotb&u=20120330CE234B61AB5B6DB1B4A8E7DC

-\\ Mozilla Firefox v14.0.1 (en-US)

Profile name : default
File : C:\Users\Hasseth\AppData\Roaming\Mozilla\Firefox\Profiles\gl0zw8e0.default\prefs.js

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1183 octets] - [06/08/2012 12:02:02]

########## EOF - C:\AdwCleaner[R1].txt - [1311 octets] ##########





Security Check log

Results of screen317's Security Check version 0.99.43
Windows 7 x64 (UAC is enabled)
Out of date service pack!!
Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Norton Internet Security
WMI entry may not exist for antivirus; attempting automatic update.
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.62.0.1300
Java™ 6 Update 31
Java version out of Date!
Adobe Reader X (10.1.1)
Mozilla Firefox (14.0.1)
````````Process Check: objlist.exe by Laurent````````
Norton ccSvcHst.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````


Thank you for your help. If you need anything else, please ask.

#4 nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 August 2012 - 03:13 PM

I suggest you clean what has been identified with AdwCleaner.

  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Delete.
  • Confirm each time with OK.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.

Restart the computer normally.
===

Secure your system by updating 3rd party programs.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

Check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

If present remove the old version(s) of Java using the Add/Remove Programs applet.


Java™ 6 Update 31


===

Learn how to install Windows 7 Service Pack 1 (SP1)
http://windows.microsoft.com/installwindows7sp1

Click the Out of date service pack!! on the SecurityCheck log and update your Service Pack.
<<<>>>

#5 hasseth

  • Topic Starter
  • Members
  • 7 posts

Posted 06 August 2012 - 08:10 PM

# AdwCleaner v1.800 - Logfile created 08/06/2012 at 21:06:21
# Updated 01/08/2012 by Xplode
# Operating system : Windows 7 Home Premium (64 bits)
# User : Hasseth - HASSETH-PC
# Running from : C:\Users\Hasseth\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKLM\SOFTWARE\DT Soft

***** [Registre - GUID] *****

Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{3BD44F0E-0596-4008-AEE0-45D47E3A8F0E}

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.7600.16385

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://blekko.com?source=c3348dd4&tbp=homepage&toolbarid=blekkotb&u=20120330CE234B61AB5B6DB1B4A8E7DC --> hxxp://www.google.com

-\\ Mozilla Firefox v14.0.1 (en-US)

Profile name : default
File : C:\Users\Hasseth\AppData\Roaming\Mozilla\Firefox\Profiles\gl0zw8e0.default\prefs.js

C:\Users\Hasseth\AppData\Roaming\Mozilla\Firefox\Profiles\gl0zw8e0.default\user.js ... Deleted !

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [1310 octets] - [06/08/2012 12:02:02]
AdwCleaner[S1].txt - [262 octets] - [06/08/2012 21:01:59]
AdwCleaner[S2].txt - [1330 octets] - [06/08/2012 21:06:21]

########## EOF - C:\AdwCleaner[S2].txt - [1458 octets] ##########

#6 nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 07 August 2012 - 08:05 AM

If all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

Surf Safely, and Think Prevention!
===

#7 hasseth

  • Topic Starter
  • Members
  • 7 posts

Posted 07 August 2012 - 11:08 PM

It would seem that all is not well. I still seem to be getting redirected. Any other ideas?

#8 nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 08 August 2012 - 07:56 AM

Try this.

Go to Start > Run box, type cmd and hit OK
type
ipconfig /flushdns <-- (The space between g and / is needed) press the Enter key.

repeat with
ipconfig /renew

Then type Exit, hit the Enter key
*/*

If no joy, continue.

Launch Notepad, and copy/paste all the blue instructions below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains]


Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.

On a Vista or Windows 7 operating system right click on the fixme.reg file and run as Administrator.

Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.
===

If the problem persists and you are using a router, it may be compromised.
How to Reset a Router Back to the Factory Default Settings
http://www.ehow.com/how_2110924_reset-back-factory-default-settings.html

Then, please reconfigure it back to your preferred setting. Below is the list of default usernames and passwords, should you not know it ;)

http://www.routerpasswords.com/
http://www.phenoelit-us.org/dpl/dpl.html
===

Reset for Linksys, Netgear, D-Link and Belkin Routers
http://www.techsupportforum.com/2763-reset-for-linksys-netgear-d-link-and-belkin-routers/

How to Secure Your Wireless Router
http://www.ehow.com/how_2253625_secure-wireless-router.html

Keep me posted.
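The steps in this post (flush and renew DNS, reset the IE ZoneMap, and reset the router if the redirects persist) all target DNS-level hijacking. The DDS log posted earlier in the thread already contains the data a helper would check first: the `TCP: … NameServer` lines per interface and the `uStart Page` entry. The script below is an added example, not a tool from this thread or from BleepingComputer; it parses those DDS lines and flags any resolver outside a trusted set and any homepage outside an expected set. The trusted resolver set (the LAN gateway plus the two ISP resolvers that appear in the log) and the expected homepage hosts are assumptions for the example, and the line with a hijacked interface is constructed to show what a positive finding looks like.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Flags two common redirect indicators:
  * a DNS resolver (per interface or global) that is not in an allow-list
  * an IE start page whose host is not one the user expects
"""
import re
from ipaddress import ip_address

# Assumption for this example: the resolvers this user expects to see are the
# LAN gateway and the two ISP resolvers that appear in the posted DDS log.
# In a real triage take these from the router configuration / ISP documentation.
TRUSTED_RESOLVERS = {"192.168.1.1", "75.75.75.75", "75.75.76.76"}

# Assumption: the user set Google as the homepage (the Firefox prefs.js line in
# the log says Google.com), so anything else is worth a look.
EXPECTED_HOMEPAGE_HOSTS = {"google.com", "www.google.com"}

# DDS prints "TCP: DhcpNameServer = ..." globally and
# "TCP: Interfaces\{GUID}[\suffix] : DhcpNameServer = ..." per interface;
# statically configured resolvers appear as "NameServer =" instead.
NAMESERVER_RE = re.compile(
    r"^TCP:\s+(?:(?P<iface>Interfaces\\\S+)\s*:\s*)?(?:Dhcp)?NameServer\s*=\s*(?P<servers>.+?)\s*$"
)
# uStart Page = per-user (HKCU) start page, mStart Page = machine-wide (HKLM).
START_PAGE_RE = re.compile(r"^(?P<scope>[um])Start Page\s*=\s*(?P<url>\S+)")

SAMPLE_DDS_LINES = [
    # Lines exactly as they appear in the DDS log posted in this thread.
    "uStart Page = hxxp://blekko.com?source=c3348dd4&tbp=homepage&toolbarid=blekkotb&u=20120330CE234B61AB5B6DB1B4A8E7DC",
    "TCP: DhcpNameServer = 192.168.1.1",
    "TCP: Interfaces\\{B1D2EA74-EA7D-462D-B3D4-B2DA6A3442E6} : DhcpNameServer = 192.168.1.1",
    "TCP: Interfaces\\{B1D2EA74-EA7D-462D-B3D4-B2DA6A3442E6}\\A4F686E63747F6E6022516E646F6C60786 : DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1",
    # Constructed line (NOT from the thread): what a hijacked interface with a
    # statically set rogue resolver would look like. 203.0.113.53 is a
    # documentation-range address used purely as a placeholder.
    "TCP: Interfaces\\{00000000-CONSTRUCTED-EXAMPLE-000000000000} : NameServer = 203.0.113.53",
]


def parse_nameservers(lines):
    """Return [(interface_or_'global', [resolver, ...])] for every DDS TCP: line."""
    out = []
    for line in lines:
        m = NAMESERVER_RE.match(line.strip())
        if not m:
            continue
        iface = m.group("iface") or "global"
        servers = []
        for tok in m.group("servers").split():
            try:
                servers.append(str(ip_address(tok)))  # normalise valid addresses
            except ValueError:
                servers.append(tok)  # keep odd tokens so a reviewer still sees them
        out.append((iface, servers))
    return out


def find_untrusted_resolvers(lines, trusted=TRUSTED_RESOLVERS):
    """Resolvers not in the allow-list: the classic DNS-hijack redirect indicator."""
    hits = []
    for iface, servers in parse_nameservers(lines):
        for server in servers:
            if server not in trusted:
                hits.append((iface, server))
    return hits


def homepage_host(url):
    """Host part of a URL, accepting the defanged hxxp:// form DDS writes."""
    stripped = re.sub(r"^(?:hxxps?|https?)://", "", url, flags=re.IGNORECASE)
    return re.split(r"[/?#:]", stripped, maxsplit=1)[0].lower()


def find_unexpected_homepages(lines, expected=EXPECTED_HOMEPAGE_HOSTS):
    """Start-page entries whose host is not one the user expects."""
    hits = []
    for line in lines:
        m = START_PAGE_RE.match(line.strip())
        if m:
            host = homepage_host(m.group("url"))
            if host not in expected:
                hits.append((m.group("scope"), host))
    return hits


def triage(lines):
    """Run both checks and return the findings keyed by indicator type."""
    return {
        "untrusted_resolvers": find_untrusted_resolvers(lines),
        "unexpected_homepages": find_unexpected_homepages(lines),
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_DDS_LINES).items():
        print(f"{kind}: {hits if hits else 'none'}")
```

Run against the real lines from this thread the resolver check comes back clean, which matches nasdaq's reading of the log; the only finding is the blekko.com start page, which AdwCleaner later replaced. The constructed interface line is what a compromised router or a DNS-changing infection would leave behind, and it is the case the flush/renew/router-reset advice is meant to cover.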

#9 nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 August 2012 - 08:24 AM

Are you still with me?

#10 hasseth

  • Topic Starter
  • Members
  • 7 posts

Posted 14 August 2012 - 08:50 AM

Sorry. I must have missed an email saying you had replied. I just did what you asked me to do. I will respond in a couple of days with whether I have been redirected or not. It seems unlikely that the problem is my router, as it has a unique password, and I had the same problem at a public hotspot.

I'll get back to you soon with results.

#11 hasseth

  • Topic Starter
  • Members
  • 7 posts

Posted 14 August 2012 - 08:51 AM

Scratch that. My first test link redirected.

#12 nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 14 August 2012 - 01:40 PM

Let's scan with these tools.

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs for my review.

#13 nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 20 August 2012 - 09:35 AM

Are you still with me?

#14 hasseth

  • Topic Starter
  • Members
  • 7 posts

Posted 20 August 2012 - 06:42 PM

I've reinstalled Windows. It seems to have worked.

#15 nasdaq

  • Malware Response Team
  • 38,747 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 21 August 2012 - 07:51 AM

Thanks for the feedback.

I will close this topic.



